The Juniper router must be configured to have Gratuitous ARP disabled on all external interfaces.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-254032 | SRG-NET-000362-RTR-000111 | JUEX-RT-000600 | SV-254032r844129_rule | 2024-06-10 | 2 |
Description |
---|
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same. It is used to inform the network about a host IP address. A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly, causing network malfunction. |
ℹ️ Check |
---|
Review the configuration to determine if gratuitous ARP is disabled on all external interfaces. |

```text
[edit interfaces]
<external interface> {
    no-gratuitous-arp-reply;
    no-gratuitous-arp-request;
    unit <number> {
        family inet {
            address <IPv4 address>/<mask>;
        }
        family inet6 {
            address <IPv6 address>/<mask>;
        }
    }
}
```

If gratuitous ARP is enabled on any external interface, this is a finding.
✔️ Fix |
---|
Disable gratuitous ARP on all external interfaces. |

```text
set interfaces <external interface> no-gratuitous-arp-reply
set interfaces <external interface> no-gratuitous-arp-request
set interfaces <external interface> unit <number> family inet address <IPv4 address>/<mask>
set interfaces <external interface> unit <number> family inet6 address <IPv6 address>/<prefix>
```
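As an added example (not part of the STIG text or any Juniper tool), the following Python audit applies this check to `show configuration interfaces | display set` output: it reports every interface in a site-defined list of external interfaces that is missing either gratuitous-ARP knob. The sample configuration and the external-interface list are constructed for the example.

```python
import re

# Constructed sample of "show configuration interfaces | display set" output.
# ge-0/0/0 has both knobs, ge-0/0/1 lacks no-gratuitous-arp-request,
# ge-0/0/2 has neither, ge-0/0/3 is internal and not in scope.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 no-gratuitous-arp-reply
set interfaces ge-0/0/0 no-gratuitous-arp-request
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces ge-0/0/1 no-gratuitous-arp-reply
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/30
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.1/24
"""

# Assumed (hypothetical) list of external interfaces; the STIG leaves
# "external" for the site to define, so this must come from local inventory.
EXTERNAL_INTERFACES = ["ge-0/0/0", "ge-0/0/1", "ge-0/0/2"]

# Both knobs from the Fix text must be present for an interface to pass.
REQUIRED_KNOBS = ("no-gratuitous-arp-reply", "no-gratuitous-arp-request")
_SET_LINE = re.compile(r"^set interfaces (\S+) (no-gratuitous-arp-(?:reply|request))$")


def parse_garp_knobs(config_text):
    """Map interface name -> set of gratuitous-ARP knobs found in 'display set' output."""
    knobs = {}
    for line in config_text.splitlines():
        m = _SET_LINE.match(line.strip())
        if m:
            knobs.setdefault(m.group(1), set()).add(m.group(2))
    return knobs


def find_garp_findings(config_text, external_interfaces):
    """Return {interface: [missing knobs]} for external interfaces that still
    allow gratuitous ARP; an empty dict means no finding for JUEX-RT-000600."""
    knobs = parse_garp_knobs(config_text)
    findings = {}
    for ifname in external_interfaces:
        missing = [k for k in REQUIRED_KNOBS if k not in knobs.get(ifname, set())]
        if missing:
            findings[ifname] = missing
    return findings


if __name__ == "__main__":
    for ifname, missing in find_garp_findings(SAMPLE_CONFIG, EXTERNAL_INTERFACES).items():
        print(f"FINDING {ifname}: missing {', '.join(missing)}")
```

Feed it the real `display set` output and the site's own external-interface inventory; any non-empty result is the finding the Check describes.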